
Cybercrooks are typosquatting to exploit CrowdStrike fallout

Thousands of typosquatting domains are now registered to exploit the desperation of IT admins still struggling to recover from last week's CrowdStrike outage, researchers say.

According to security shop SentinelOne, the number is growing by the day; however, current attempts are still relatively unsophisticated and largely opportunistic.

Typosquatting, as Reg readers know, is the term given to cybercrime that involves registering domains of interest but with small typos in the hope of catching genuine users and ultimately exploiting them for money.

Looking at examples of these campaigns, it's difficult to see what admin in their right mind would fall for this kind of crud, yet clearly some people think there's a business opportunity here.

Various forms of extortion and phishing have been spotted on these domains, and the most popular route appears to be themed around the sale of a fix.

SentinelOne offered one example, the now-dead URL for which was fix-crowdstrike-apocalypse[.]com, and showed how an executable to fix the BSOD issues was selling for €500,000 ($543 million) and the source code for it selling for double.

Looking at that URL, who's getting fooled by this, really? A tech-illiterate user, maybe. CrowdStrike caters to the enterprise crowd, the professionals, so it's difficult to see how successful this would be, especially with prices like that.

Every campaign is different and potentially not quite as vacuous as this one. Some of the other domains, for example, are ever so slightly trickier:

  • crowdstrikefix[.]com

  • crowdstrike-helpdesk[.]com

  • crowdstrikebsod[.]com
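
As an added, defender-side illustration (not code from the article, SentinelOne or CrowdStrike): a small Python classifier that flags hostnames resembling a brand, run over the defanged domains quoted above plus a few constructed extras. The allowlist, the lure-word list and the two-edit threshold are assumptions chosen for this example.

```python
import re

BRAND = "crowdstrike"
ALLOWLIST = {"crowdstrike.com"}  # assumed: the org's known-good registrable domains
# Lure words matching the campaign themes above (fix, helpdesk, BSOD, hotfix)
LURE_WORDS = ("fix", "hotfix", "helpdesk", "support", "bsod", "apocalypse", "update")

def refang(domain: str) -> str:
    """Turn defanged 'example[.]com' notation into a lower-cased hostname."""
    return domain.strip().lower().replace("[.]", ".")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute) via the rolling-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host: str) -> str:
    """Naive 'label.tld' split; does not handle multi-part suffixes such as co.uk."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def classify(domain: str, brand: str = BRAND) -> tuple[str, list[str]]:
    """Return (verdict, reasons): 'trusted', 'suspicious' or 'unrelated'."""
    host = refang(domain)
    reg = registrable(host)
    if reg in ALLOWLIST:
        return "trusted", ["registrable domain is allowlisted"]
    core = re.sub(r"[-_]", "", reg.split(".")[0])  # crowd-strike-fix -> crowdstrikefix
    reasons = []
    if brand in core:
        reasons.append(f"contains '{brand}' outside the allowlist")
        hits = [w for w in LURE_WORDS if w in core.replace(brand, "", 1)]
        if hits:
            reasons.append("brand plus lure words: " + ", ".join(hits))
    elif edit_distance(core, brand) <= 2:  # one or two character typos of the brand
        reasons.append(f"edit distance {edit_distance(core, brand)} from '{brand}'")
    return ("suspicious" if reasons else "unrelated"), reasons

# Constructed sample: the defanged domains quoted above, a trusted host and a typo variant
SAMPLE = ["crowdstrikefix[.]com", "crowdstrike-helpdesk[.]com", "crowdstrikebsod[.]com",
          "fix-crowdstrike-apocalypse[.]com", "falcon.crowdstrike.com", "crowdstrlke.com", "example.com"]

if __name__ == "__main__":
    for dom in SAMPLE:
        print(f"{dom:35} {classify(dom)[0]:10} {'; '.join(classify(dom)[1])}")
```

Feeding a proxy or DNS log's distinct hostnames through `classify` gives a quick triage list; the allowlist keeps the vendor's own subdomains out of it.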

Financial extortion isn't the only play either. Some researchers were reporting as early as Saturday, the day after the outage began, that phishing campaigns were under way designed to deliver remote access trojans such as Remcos disguised as hotfixes.

The incident wasn't isolated, and CrowdStrike was forced to issue a public memo the same day warning against opportunistic cybercriminals exploiting the situation.

"CrowdStrike Intelligence recommends that organizations ensure they are communicating with CrowdStrike representatives through official channels and adhere to technical guidance the CrowdStrike support teams have provided," it said.


Another warning came on Monday after the vendor spotted a Word document riddled with malicious macros doing the rounds, leading to a previously unidentified information stealer it now calls Daolpu.

Outage woes persist

Some CrowdStrike customers are still in the process of recovering their machines from BSOD errors days after the botched Falcon update.

So far, one of the best routes out of the trouble has been to repeatedly reboot affected machines and hope for the best. That's Microsoft's guidance for Azure VMs anyway.

CrowdStrike has regularly updated its dedicated remediation page for the incident since Friday, with a number of methods now available to customers, and it's the first port of call for anyone still struggling to recover.

Information was being disseminated across social media, from various accounts, in the early hours of the incident – even from the director of OverWatch at CrowdStrike, Brody Nisbet. Nisbet has since deleted all of his xeets about the matter, replacing them with a pointer to the remediation page.

"If you're visiting my timeline looking for tweets on remediation guidance, they were removed when we stood up a public-facing web page to centralize our response," he said today.

According to some admins who have reported their experience of dealing with CrowdStrike directly in the last few hours, the vendor is encouraging customers to opt into an initiative that allows CrowdStrike itself to remediate affected endpoints from the cloud.

It requires contact with the support portal, doesn't work every time, and the feedback from others who say they've gone through the process has been mixed.

Some report a rapid acceleration in the remediation process with hundreds of endpoints fixed in rapid time, while others are stuck rebooting several times over in a largely hit-and-miss endeavor.

Security expert Kevin Beaumont echoed the issues: "CrowdStrike are touting auto-remediation of blue screen as an opt-in feature.

"However, I just tried it – it's not very successful, most boots still blue screen of death. I think CS need to be careful on messaging about this as it sounds like they're offering it as a silver bullet. It only works if networking kicks in and the agent updates before Windows finishes booting." ®

Source: theregister.com
